<!doctype html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><META http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Check Object Integrity (CHKOBJITG)</title>
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body bgcolor="white">
<script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<a name="CHKOBJITG.Top_Of_Page"></a>
<h2>Check Object Integrity (CHKOBJITG)</h2>
<table width="100%">
<tr>
<td valign="top" align="left"><b>Where allowed to run: </b>All environments (*ALL)<br>
<b>Threadsafe: </b>No
</td>
<td valign="top" align="right">
<a href="#CHKOBJITG.PARAMETERS.TABLE">Parameters</a><br>
<a href="#CHKOBJITG.COMMAND.EXAMPLES">Examples</a><br>
<a href="#CHKOBJITG.ERROR.MESSAGES">Error messages</a></td>
</tr>
</table>
<div> <a name="CHKOBJITG"></a>
<p>The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. An integrity violation occurs if:
</p>
<ul>
<li>a command has been tampered with.
</li>
<li>an object has a digital signature that is not valid.
</li>
<li>an object has an incorrect domain attribute for its object type.
</li>
<li>a program or module object has been tampered with.
</li>
<li>a library's attributes have been tampered with.
</li>
<li>an object failed a file system scan.
</li>
</ul>
<p>If an integrity violation has occurred, the object name, library name (or pathname), object type, object owner, and type of failure are logged to a database file.
</p>
<p>The types of violations that can occur are:
</p>
<ul>
<li>ALTERED - The object has been tampered with.
</li>
<li>BADSIG - The object has a digital signature that is not valid.
</li>
<li>DMN - The domain is not correct for the object type.
</li>
<li>PGMMOD - The runnable object has been tampered with.
</li>
<li>BADLIBUPDA - The library protection attribute is set incorrectly.
</li>
<li>SCANFSFAIL - The object has been scanned by a scan-related exit program, and at the time of that last scan request, the object failed the scan.
</li>
</ul>
<p>Also logged to the database file, but not integrity violations, are objects that do not have a digital signature but can be signed, objects that could not be checked, and objects whose format requires changes to be used on this machine implementation (IMPI to RISC conversion).
</p>
<p>The types of entries that are logged but are not integrity violations are:
</p>
<ul>
<li>NOSIG - The object can be signed but does not have a digital signature.
</li>
<li>NOTCHECKED - The object cannot be checked because it is in debug mode, saved with storage freed, or compressed.
</li>
<li>NOTTRANS - The object has not been converted to RISC format.
</li>
</ul>
<p>
<b>Note: </b>Objects that are compressed, damaged, saved with storage freed, or in debug mode may not be checked.
</p>
<p>
<b>Note: </b>IBM commands duplicated from a release prior to V5R2 will be logged as ALTERED violations. These commands should be deleted and re-created using the CRTDUPOBJ (Create Duplicate Object) command each time a new release is loaded.
</p>
<p><b>Restrictions:</b>
</p>
<ul>
<li>To check object integrity, you must have audit (*AUDIT) special authority.
</li>
</ul>
<p><b>Note:</b> The CHKOBJITG command may run a long time if:
</p>
<ul>
<li>the user profile specified for the USRPRF parameter owns many objects.
</li>
<li>*ALL is specified for the USRPRF parameter.
</li>
<li>*SYSTEM is specified for the OBJ parameter.
</li>
<li>many objects match the path name pattern specified for the OBJ parameter.
</li>
</ul>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div>
<h3><a name="CHKOBJITG.PARAMETERS.TABLE">Parameters</a></h3>
<table border="1" cellpadding="4" cellspacing="0">
<!-- col1="10" col2="15" col3="30" col4="10" -->
<tr>
<th bgcolor="aqua" valign="bottom" align="left">Keyword</th>
<th bgcolor="aqua" valign="bottom" align="left">Description</th>
<th bgcolor="aqua" valign="bottom" align="left">Choices</th>
<th bgcolor="aqua" valign="bottom" align="left">Notes</th>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.USRPRF"><b>USRPRF</b></a></td>
<td valign="top">User profile, or</td>
<td valign="top"><i>Generic name, name</i>, *ALL</td>
<td valign="top">Optional, Positional 1</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.OBJ"><b>OBJ</b></a></td>
<td valign="top">Object</td>
<td valign="top"><i>Path name</i>, *SYSTEM</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top" rowspan="3"><a href="#CHKOBJITG.OUTFILE"><b>OUTFILE</b></a></td>
<td valign="top">File to receive output</td>
<td valign="top"><i>Qualified object name</i></td>
<td valign="top" rowspan="3">Optional, Positional 2</td>
</tr>
<tr>
<td valign="top">Qualifier 1: File to receive output</td>
<td valign="top"><i>Name</i></td>
</tr><tr>
<td valign="top">Qualifier 2: Library</td>
<td valign="top"><i>Name</i>, <b><u>*LIBL</u></b>, *CURLIB</td>
</tr><tr>
<td valign="top" rowspan="3"><a href="#CHKOBJITG.OUTMBR"><b>OUTMBR</b></a></td>
<td valign="top">Output member options</td>
<td valign="top"><i>Element list</i></td>
<td valign="top" rowspan="3">Optional</td>
</tr>
<tr>
<td valign="top">Element 1: Member to receive output</td>
<td valign="top">
<i>Name</i>, <b><u>*FIRST</u></b></td>
</tr>
<tr>
<td valign="top">Element 2: Replace or add records</td>
<td valign="top">
<b><u>*REPLACE</u></b>, *ADD</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.CHKDMN"><b>CHKDMN</b></a></td>
<td valign="top">Check domain</td>
<td valign="top"><b><u>*YES</u></b>, *NO</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.CHKPGMMOD"><b>CHKPGMMOD</b></a></td>
<td valign="top">Check program and module</td>
<td valign="top"><b><u>*YES</u></b>, *NO</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.CHKCMD"><b>CHKCMD</b></a></td>
<td valign="top">Check command</td>
<td valign="top"><b><u>*YES</u></b>, *NO</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.CHKSIG"><b>CHKSIG</b></a></td>
<td valign="top">Check signature</td>
<td valign="top"><b><u>*SIGNED</u></b>, *ALL, *NONE</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.CHKLIB"><b>CHKLIB</b></a></td>
<td valign="top">Check library</td>
<td valign="top"><b><u>*YES</u></b>, *NO</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.SCANFS"><b>SCANFS</b></a></td>
<td valign="top">Scan file systems</td>
<td valign="top"><b><u>*STATUS</u></b>, *YES, *NO</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHKOBJITG.SUBTREE"><b>SUBTREE</b></a></td>
<td valign="top">Directory subtree</td>
<td valign="top"><b><u>*NONE</u></b>, *ALL</td>
<td valign="top">Optional</td>
</tr>
</table>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
</div>
<div> <a name="CHKOBJITG.USRPRF"></a>
<h3>User profile (USRPRF)</h3>
<p>Specifies the user profiles for which owned objects will be checked for integrity violations.
</p>
<p>
<b>Note: </b>A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.
</p>
<dl>
<dt><b>*ALL</b></dt>
<dd>Objects owned by all user profiles on the system are to be checked.
</dd>
<dt><b><i>generic-name</i></b></dt>
<dd>Specify the generic names of the user profiles whose owned objects are to be checked.
<p>A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.
</p>
</dd>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the user profile whose owned objects are to be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.OBJ"></a>
<h3>Object (OBJ)</h3>
<p>Specifies the objects that will be checked for integrity violations.
</p>
<p>
<b>Note: </b>A value must be specified for either the USRPRF parameter or the OBJ parameter. You cannot specify values for both parameters.
</p>
<dl>
<dt><b>*SYSTEM</b></dt>
<dd>All objects in all available auxiliary storage pools (ASPs) are to be checked.
<p>
<b>Note: </b>When *SYSTEM is specified, the only value allowed for the CHKSIG parameter is *ALL.
</p>
</dd>
<dt><b><i>path-name</i></b></dt>
<dd>Specify the path name of the objects that are to be checked.
<p>The object path name can be either a simple name or a name that is qualified with the name of the directory in which the object is located. A pattern can be specified in the last part of the path name. An asterisk (*) matches any number of characters and a question mark (?) matches a single character. If the path name is qualified or contains a pattern, it must be enclosed in apostrophes.
</p>
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.OUTFILE"></a>
<h3>File to receive output (OUTFILE)</h3>
<p>Specifies the database file to which the output of the command is directed. If the file does not exist, this command creates a database file in the specified library. If the file is created, the public authority for the file is the same as the create authority specified for the library in which the file is created. Use the Display Library Description (DSPLIBD) command to show the library's create authority.
</p>
<p><b>Qualifier 1: File to receive output</b>
</p>
<dl>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the database file to which the command output is directed.
</dd>
</dl>
<p><b>Qualifier 2: Library</b>
</p>
<dl>
<dt><b><u>*LIBL</u></b></dt>
<dd>The library list is used to locate the file. If the file is not found, one is created in the current library. If no current library exists, the file will be created in the QGPL library.
</dd>
<dt><b>*CURLIB</b></dt>
<dd>The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.
</dd>
</dl>
<dl>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the library to be searched.
</dd>
</dl>
<p>
<b>Note: </b>If a new file is created, system file QASYCHKI in system library QSYS with a format name of QASYCHKI is used as a model.
</p>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.OUTMBR"></a>
<h3>Output member options (OUTMBR)</h3>
<p>Specifies the name of the database file member that receives the output of the command.
</p>
<p><b>Element 1: Member to receive output</b>
</p>
<dl>
<dt><b><u>*FIRST</u></b></dt>
<dd>The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the member does not exist, the system creates a member with the name of the file specified for the <b>File to receive output (OUTFILE)</b> parameter. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.
</dd>
</dl>
<dl>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the file member that receives the output. If it does not exist, the system creates it.
</dd>
</dl>
<p><b>Element 2: Replace or add records</b>
</p>
<dl>
<dt><b><u>*REPLACE</u></b></dt>
<dd>The system clears the existing member and adds the new records.
</dd>
</dl>
<dl>
<dt><b>*ADD</b></dt>
<dd>The system adds the new records to the end of the existing records.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.CHKDMN"></a>
<h3>Check domain (CHKDMN)</h3>
<p>Specifies whether or not to check object domain integrity.
</p>
<dl>
<dt><b><u>*YES</u></b></dt>
<dd>Object domain integrity is to be checked.
<p><b>Note:</b> The following objects are valid in user domain so they are not checked:
</p>
<ul>
<li>QTEMP library
</li>
<li>all objects of type *PGM
</li>
<li>all objects of type *SQLPKG
</li>
<li>all objects of type *SRVPGM
</li>
</ul>
<p>The following object types are valid in user domain only if the library they are in is specified in system value QALWUSRDMN (or if QALWUSRDMN is *ALL).
</p>
<ul>
<li>*USRSPC
</li>
<li>*USRQ
</li>
<li>*USRIDX
</li>
</ul>
</dd>
<dt><b>*NO</b></dt>
<dd>Object domain integrity is not to be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.CHKPGMMOD"></a>
<h3>Check program and module (CHKPGMMOD)</h3>
<p>Specifies whether or not the integrity of program and module objects will be checked.
</p>
<dl>
<dt><b><u>*YES</u></b></dt>
<dd>Program and module integrity is to be checked.
</dd>
<dt><b>*NO</b></dt>
<dd>Program and module integrity is not to be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.CHKCMD"></a>
<h3>Check command (CHKCMD)</h3>
<p>Specifies whether or not the integrity of commands will be checked.
</p>
<dl>
<dt><b><u>*YES</u></b></dt>
<dd>Command integrity is to be checked.
</dd>
<dt><b>*NO</b></dt>
<dd>Command integrity is not to be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.CHKSIG"></a>
<h3>Check signature (CHKSIG)</h3>
<p>Specifies whether or not the digital signatures of objects that can be signed will be checked.
</p>
<dl>
<dt><b><u>*SIGNED</u></b></dt>
<dd>Objects with digital signatures are checked. Any object with a signature that is not valid will be logged.
</dd>
<dt><b>*ALL</b></dt>
<dd>All objects that can be digitally signed are checked. Any object that can be signed but has no signature will be logged. Any object with a signature that is not valid will be logged.
</dd>
<dt><b>*NONE</b></dt>
<dd>Digital signatures will not be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.CHKLIB"></a>
<h3>Check library (CHKLIB)</h3>
<p>Specifies whether or not the integrity of library attributes will be checked.
</p>
<dl>
<dt><b><u>*YES</u></b></dt>
<dd>Library attribute integrity is to be checked.
</dd>
<dt><b>*NO</b></dt>
<dd>Library attribute integrity is not to be checked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.SCANFS"></a>
<h3>Scan file systems (SCANFS)</h3>
<p>Specifies whether objects in the integrated file systems identified by the QSCANFS system value should be scanned or if existing scan status should be returned.
</p>
<p>The integrated file system scan-related exit points are:
</p>
<ul>
<li>QIBM_QP0L_SCAN_OPEN - Integrated File System Scan on Open Exit Program
</li>
<li>QIBM_QP0L_SCAN_CLOSE - Integrated File System Scan on Close Exit Program
</li>
</ul>
<p>For details on these exit points, see the System API Reference information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.
</p>
<dl>
<dt><b><u>*STATUS</u></b></dt>
<dd>Objects will not be scanned, but if an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation will be logged.
</dd>
<dt><b>*YES</b></dt>
<dd>Objects will be scanned according to the rules described in the scan-related exit programs. If an object fails the scan operation, a SCANFSFAIL integrity violation will be logged.
</dd>
<dt><b>*NO</b></dt>
<dd>Objects will not be scanned and their scan failure status will not be logged.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHKOBJITG.SUBTREE"></a>
<h3>Directory subtree (SUBTREE)</h3>
<p>Specifies whether or not to check the objects within the subtree if the object specified by the <b>Object (OBJ)</b> parameter is a directory.
</p>
<dl>
<dt><b><u>*NONE</u></b></dt>
<dd>The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked, but the directory contents will not be checked.
</dd>
<dt><b>*ALL</b></dt>
<dd>The objects specified by the OBJ parameter are checked. If the object is a directory, it will be checked as well as its contents and the contents of all subdirectories.
<p>
<b>Note: </b>Pattern matching from the OBJ parameter only applies to the first level objects. If the first level object is a directory, the pattern matching does not apply to its contents or the contents of its subdirectories.
</p>
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div><h3><a name="CHKOBJITG.COMMAND.EXAMPLES">Examples</a> </h3>
<p><b>Example 1: Check Objects Owned by One User Profile</b>
</p>
<p>
<pre>
CHKOBJITG USRPRF(JOEPGMR) OUTFILE(SECCHECK)
OUTMBR(*FIRST *REPLACE)
CHKDMN(*YES) CHKPGMMOD(*YES)
CHKSIG(*SIGNED) CHKLIB(*YES)
</pre>
</p>
<p>This command checks all objects owned by user JOEPGMR for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, objects with digital signatures that are not valid, and libraries whose attributes have been tampered with will cause integrity violation records to be logged in database file SECCHECK. Database file SECCHECK is first cleared of any existing records.
</p>
<p><b>Example 2: Check Objects Owned by Multiple User Profiles</b>
</p>
<p>
<pre>
CHKOBJITG USRPRF(ABC*) OUTFILE(ABCCHECK)
OUTMBR(*FIRST *REPLACE) CHKDMN(*YES)
CHKPGMMOD(*YES) CHKSIG(*NONE) CHKLIB(*YES)
</pre>
</p>
<p>This command checks all objects owned by user profiles that start with ABC for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and libraries whose attributes have been tampered with will cause integrity violation records to be logged to database file ABCCHECK. Database file ABCCHECK will first be cleared of any existing records.
</p>
<p><b>Example 3: Check Objects in One Library</b>
</p>
<p>
<pre>
CHKOBJITG OBJ('/QSYS.LIB/LIB2.LIB/ABC*.*') OUTFILE(SECCHECK2)
OUTMBR(*FIRST *REPLACE)
CHKDMN(*YES) CHKPGMMOD(*YES)
CHKSIG(*ALL) CHKLIB(*NO)
</pre>
</p>
<p>This command checks objects in library LIB2 that have names beginning with ABC and are of any object type for integrity violations. Objects with an incorrect domain, program and module objects that have been tampered with, and objects with digital signatures that are missing or not valid will cause integrity violation records to be logged to database file SECCHECK2. Database file SECCHECK2 will first be cleared of any existing records.
</p>
<p><b>Example 4: Check Object in a Directory</b>
</p>
<p>
<pre>
CHKOBJITG OBJ('/PartOrder/Forms.jar') OUTFILE(SECCHECK3)
OUTMBR(*FIRST *REPLACE)
CHKDMN(*NO) CHKPGMMOD(*NO)
CHKSIG(*ALL) CHKLIB(*NO)
</pre>
</p>
<p>This command checks file Forms.jar in directory PartOrder for integrity violations. If the file has a digital signature that is not valid or is capable of being signed and has no signature, an integrity violation record will be logged to database file SECCHECK3. Database file SECCHECK3 will first be cleared of any existing records.
</p>
<p><b>Note:</b> Any Java programs associated with this stream file will be checked for valid signatures as well.
</p>
<p><b>Example 5: Check Object in a Directory</b>
</p>
<p>
<pre>
CHKOBJITG OBJ('/Parts/*') OUTFILE(SECCHECK4)
CHKDMN(*NO) CHKPGMMOD(*NO) CHKSIG(*NONE)
CHKLIB(*NO) SCANFS(*YES)
</pre>
</p>
<p>This command scans all files in directory Parts for integrity violations. If a file fails the scan by the scan-related exit program, an integrity violation record will be logged to database file SECCHECK4.
</p>
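<p>As an added example (not part of the IBM documentation), the Python function below checks a CHKOBJITG command string written in keyword form against rules stated on this page: exactly one of USRPRF and OBJ, enumerated values taken from the parameter table, OBJ(*SYSTEM) only with CHKSIG(*ALL), and apostrophes around qualified or pattern path names. The name <code>lint_chkobjitg</code>, the sample commands, and the treatment of an omitted CHKSIG as its default *SIGNED are assumptions of this example.
</p>

```python
import re

# Allowed values, copied from the parameter table on this page.
ALLOWED = {
    "CHKDMN": {"*YES", "*NO"},
    "CHKPGMMOD": {"*YES", "*NO"},
    "CHKCMD": {"*YES", "*NO"},
    "CHKSIG": {"*SIGNED", "*ALL", "*NONE"},
    "CHKLIB": {"*YES", "*NO"},
    "SCANFS": {"*STATUS", "*YES", "*NO"},
    "SUBTREE": {"*NONE", "*ALL"},
}

# KEYWORD(value): value is an apostrophe-quoted string or unquoted text.
PARM = re.compile(r"([A-Za-z]+)\(\s*('(?:[^']|'')*'|[^()']*?)\s*\)")


def lint_chkobjitg(command):
    """Return a list of findings; an empty list means every check passed."""
    text = " ".join(command.split())  # fold a multi-line command into one line
    if text.count("'") % 2:
        return ["unbalanced apostrophe in command string"]
    parms = {kw.upper(): val for kw, val in PARM.findall(text)}
    findings = []

    # USRPRF and OBJ are mutually exclusive, and one of them is required.
    if ("USRPRF" in parms) == ("OBJ" in parms):
        findings.append("specify exactly one of USRPRF and OBJ")

    # Enumerated parameters must use a value from the parameter table.
    for kw, allowed in ALLOWED.items():
        if kw in parms and parms[kw].upper() not in allowed:
            findings.append(f"{kw}({parms[kw]}) is not one of {sorted(allowed)}")

    obj = parms.get("OBJ")
    if obj is not None:
        # An omitted CHKSIG is treated as its default *SIGNED (example's assumption).
        if obj.upper() == "*SYSTEM" and parms.get("CHKSIG", "*SIGNED").upper() != "*ALL":
            findings.append("OBJ(*SYSTEM) allows only CHKSIG(*ALL)")
        # Qualified path names and patterns must be enclosed in apostrophes.
        quoted = obj.startswith("'")
        if obj.upper() != "*SYSTEM" and not quoted and re.search(r"[/*?]", obj):
            findings.append("OBJ path name must be enclosed in apostrophes")
    return findings


# Constructed sample commands for illustration (not taken from a real system).
SAMPLES = [
    "CHKOBJITG OBJ('/Parts/*') OUTFILE(SECCHECK4)\n  CHKSIG(*NONE) SCANFS(*YES)",
    "CHKOBJITG USRPRF(JOEPGMR) OUTFILE(SECCHECK) CHKSIG(*YES)",
    "CHKOBJITG OBJ(*SYSTEM) OUTFILE(SECCHECK) CHKSIG(*SIGNED)",
    "CHKOBJITG OBJ(/Parts/*) OUTFILE(SECCHECK4)",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(" ".join(cmd.split()), "->", lint_chkobjitg(cmd) or "OK")
```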
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div><h3><a name="CHKOBJITG.ERROR.MESSAGES">Error messages</a> </h3>
<p><b><u>*ESCAPE Messages</u></b>
</p>
<dl>
<dt><b>CPF22D9</b></dt>
<dd>No user profiles of specified name exist.
</dd>
<dt><b>CPF22F0</b></dt>
<dd>Unexpected errors occurred during processing.
</dd>
<dt><b>CPF2204</b></dt>
<dd>User profile &amp;1 not found.
</dd>
<dt><b>CPF2213</b></dt>
<dd>Not able to allocate user profile &amp;1.
</dd>
<dt><b>CPF222E</b></dt>
<dd>&amp;1 special authority is required.
</dd>
<dt><b>CPF222F</b></dt>
<dd>Command not run.
</dd>
<dt><b>CPF9860</b></dt>
<dd>Error occurred during output file processing.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHKOBJITG.Top_Of_Page">Top</a></td></tr>
</table>
</body>
</html>